Vulnhub Bsides Vancouver 2018 walkthrough

It’s an easy challenge, but since there are 2 distinct ways to obtain root, this is a nice opportunity to test for different vulnerabilities and try different tools.

LITTLE WARNING: This is going to be a crazy long walkthrough because I’m going to detail my methodology (pentest style) including what didn’t work, as well as many different tools and manual exploitation techniques (because you can’t rely too much on tools).
I want to give you as many ideas as possible that you can later apply on real-life penetration tests, and not just what “magically” works.

Reconnaissance

Port 21

Nmap shows that anonymous FTP is allowed on port 21, so let’s see what’s on this FTP server by visiting ftp://192.168.4.3. It contains a folder named “public”. Inside it is a very interesting file:
These usernames will probably come in handy later.

Port 80

At first sight, there is nothing but a default page on the Web server:

Enumerating Wordpress users

A good scanner that I like using on Wordpress sites is wpscan. It helps find the version of Wordpress in use, its known vulnerabilities and also enumerate users.
In this case, there are 2 Wordpress users, admin and john:

Sometimes, during penetration testing, it is not possible to run automatic tools like wpscan. On a few pentest engagements, we had the client forbid us from running any scanners except for Nmap, to avoid any chance of disrupting production servers.

In these cases, user enumeration can also be performed manually. The error messages returned by the login form differ depending on whether the username entered is valid or not:

From this behavior, we can also deduce that “admin” and “john” are valid usernames.

Bruteforcing Wordpress passwords

wpscan can also be used to bruteforce Wordpress login passwords, although technically, it is not bruteforce but a dictionary attack.
I prefer using the wordlist SecLists/Passwords/Common-Credentials/10k-most-common.txt first and, if it doesn’t contain the password, then I try /usr/share/wordlists/rockyou.txt which is a lot bigger (so the attack might take a lot more time).

So, now we have authenticated access to the Wordpress administration interface:

Port 22

Finding authentication methods supported by the SSH server

We already have a list of users (ftp://192.168.4.3/public/users.txt.bk) but before we start bruteforcing their SSH passwords, let’s check if password authentication is allowed for each one of them.
Always start with this step: bruteforcing an SSH account that can only be accessed with public-key authentication, for example, would be a huge waste of time.

According to this, anne is in the sudoers group. So she can easily become root and read the sought-after flag:

anne@[host]:~$ sudo su
[sudo] password for anne:
root@[host]:/home/anne# cd
root@[host]:~# ls
flag.txt
root@[host]:~# cat flag.txt
Congratulations!
If you can read this, that means you were able to obtain *root* permissions on this VM.
You should be proud!
There are multiple ways to gain access remotely, as well as for privilege escalation.
Did you find them all?
@abatchy17

The results are concatenated to the end of the page and not directly visible:

All we have to do to see them is select everything inside the rectangle (with white borders & black background) at the bottom of the page or look at the source code:

This is stealthier than uploading a plugin / media file: only one PHP theme file is modified, so the chances of getting caught during real engagements are lower. The other two methods add a new Wordpress plugin or Media file, and an admin would quickly notice it!

But the problem with this method for this particular challenge is that I could not upgrade the webshell to a Meterpreter shell (didn’t work, don’t know why)! And I really prefer Meterpreter to limited basic PHP shells.

Method 3: Automatically getting a shell with Yertle

We can also automate the process of uploading a Webshell with yertle.py, a script included in WPForce:

So we can modify its contents and put any commands inside it. And they would be run with root privileges because the cron job runs the script as root!
This is a simple and effective method for gaining root access.

Here is a simple proof of concept:

First, we’ll backup the cleanup file before we modify it:

meterpreter > cp /usr/local/bin/cleanup /tmp/cleanup.bak

Then let’s add the command that we want to run as root to the end of the cleanup script:

Before we continue, let’s replace the cleanup script with its original version to keep it clean:

meterpreter > mv /tmp/cleanup.bak /usr/local/bin/cleanup

Cron jobs

Sometimes you will not be able to upload and install additional files to a target system. Maybe the pentest rules will forbid you from making any changes to the filesystem, or too many dependencies will be missing with no internet access to install them, etc.
So LinEnum is great but you should be able to obtain the same information yourself, manually.

Cron jobs can be defined in different places depending on their type (system or user-defined cron jobs):

/etc/crontab

/etc/cron.d

/etc/cron.daily

/etc/cron.hourly

/etc/cron.monthly

/etc/cron.weekly

By reading them one by one with cat, we are able to detect scripts that are interesting for privilege escalation, just as with LinEnum:
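The same check can be scripted. The following audit is an added example, not code from the original walkthrough or from LinEnum: it parses system-crontab entries from the locations listed above, treats the cron.* directories as run-parts directories whose scripts execute as root, and reports any scheduled script that is world-writable (the flaw in /usr/local/bin/cleanup discussed earlier). The demo() function builds a constructed sample in a temporary directory so it runs offline; the constants and helper names are this example's own.

```python
import os, re, stat, tempfile

# Locations from the walkthrough; the cron.* dirs are run-parts dirs whose scripts run as root.
CRONTAB_FILES, CRONTAB_DIRS = ("/etc/crontab",), ("/etc/cron.d",)
SCRIPT_DIRS = ("/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly")

def parse_crontab(text):
    """Yield (user, command) from system-crontab lines; skip comments, blanks and VAR=value."""
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        # "@reboot user cmd" has 3 fields, "m h dom mon dow user cmd" has 7
        fields = line.split(None, 2 if line.startswith("@") else 6)
        if len(fields) == (3 if line.startswith("@") else 7):
            yield fields[-2], fields[-1]

def command_path(command):
    """First absolute path in the command, i.e. the script cron will execute."""
    m = re.search(r"(?:^|\s)(/[^\s;&|>]+)", command)
    return m.group(1) if m else None

def is_world_writable(path):
    """True if the file exists and anyone may modify it (the flaw in /usr/local/bin/cleanup)."""
    return os.path.exists(path) and bool(os.stat(path).st_mode & stat.S_IWOTH)

def audit_crontab_text(text, source="<crontab>"):
    """Return (source, user, path) for each entry whose script is world-writable."""
    hits = [(source, u, command_path(c)) for u, c in parse_crontab(text)]
    return [h for h in hits if h[2] and is_world_writable(h[2])]

def audit_system(files=CRONTAB_FILES, crontab_dirs=CRONTAB_DIRS, script_dirs=SCRIPT_DIRS):
    """Walk the standard locations; missing or unreadable files are skipped."""
    ls = lambda d: [os.path.join(d, f) for f in sorted(os.listdir(d))] if os.path.isdir(d) else []
    findings = []
    for f in list(files) + [p for d in crontab_dirs for p in ls(d)]:
        if os.path.isfile(f) and os.access(f, os.R_OK):
            findings += audit_crontab_text(open(f).read(), f)
    for d in script_dirs:  # run-parts executes every file here as root
        findings += [(d, "root", p) for p in ls(d) if is_world_writable(p)]
    return findings

def demo():
    """Constructed sample: a root entry for a mode-777 script (flagged) and a 755 one (clean)."""
    tmp = tempfile.mkdtemp()
    bad, good = os.path.join(tmp, "cleanup"), os.path.join(tmp, "backup.sh")
    for p, mode in ((bad, 0o777), (good, 0o755)):
        open(p, "w").write("#!/bin/sh\n")
        os.chmod(p, mode)
    crontab = "SHELL=/bin/sh\n* * * * * root %s\n0 2 * * * root %s\n" % (bad, good)
    return [os.path.basename(p) for _, _, p in audit_crontab_text(crontab, "/etc/crontab")]
```

Running audit_system() on a live host lists every (source, user, path) triple worth fixing with a chmod o-w; user crontabs under /var/spool/cron are out of scope here.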

Important remark: Since the Cron job running our script runs every minute, a new Meterpreter shell is started every minute! To stop this behavior, quickly replace our modified cleanup file with the original one:

meterpreter > mv /tmp/cleanup.bak /usr/local/bin/cleanup

Now, we can continue as root and get the challenge flag:

sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 30254 created.
Channel 0 created.
id
uid=0(root) gid=0(root) groups=0(root)
cat flag.txt
Congratulations!
If you can read this, that means you were able to obtain *root* permissions on this VM.
You should be proud!
There are multiple ways to gain access remotely, as well as for privilege escalation.
Did you find them all?
@abatchy17

Vulnerabilities found

Here is a quick rundown of the vulnerabilities found while solving this challenge:

Anonymous FTP enabled

Trivial credentials used on Wordpress Web application & SSH server

Cron job running a world-writable script with root permissions

If you have any questions or suggestions, please leave a comment at the bottom of this page, a tweet or a message via our contact page.
See you next time!